Contain a leaked key
1. Write a detection rule
Investigate ▸ SIEM ▸ Detection rules — match blocked-secret guardrail events, grouped by key, with a threshold:
- Match:
category = guardrail.triggeredANDaction = BLOCKAND matched categorySECRET - Group by: the offending key
- Threshold: count ≥ 5 within 10 minutes
This catches a leaked key (or a compromised application) repeatedly trying to exfiltrate secrets, without alerting on a single stray match. The match expression uses the same grammar everywhere:
{
"all": [
{ "field": "category", "equals": "guardrail.triggered" },
{ "field": "attributes.action", "equals": "BLOCK" },
{ "field": "attributes.category", "equals": "SECRET" }
]
}
2. Route the alert
Govern ▸ Notifications ▸ Routing — send siem.detection events to an email or HMAC-signed webhook channel (your pager, a Slack-compatible webhook, or the in-app bell).
3. Add the SOAR rule
Investigate ▸ SOAR ▸ Rules — same match, harder trigger, reversible action:
- Group by: the offending key · Threshold: ≥ 10 in 5 minutes · Cooldown: 30 minutes
- Action:
quarantine— the key goes into the reversibleSUSPENDEDstate and aSecurityActionTakenevent is recorded.
4. Review the containment
SOAR ▸ Actions (platform admin): when the rule fires, mark the action CONFIRMED — or un-suspend the key if it was a false positive. Permanent revocation stays a manual act, so automation can never irrecoverably cut off a tenant.
Verify
Drive blocked-secret calls from one key — the Guardrails ▸ Test tab plus the Playground make this easy — and watch, in order: the detection fire in SIEM, the alert arrive on your channel, the key flip to SUSPENDED, and the action appear in the review feed. Un-suspend the key when done.
Why it works
SOAR consumes the same normalized event stream as everything else and takes reversible actions with a cooldown, so a burst of noise cannot cascade into permanent damage. The detection rule (alert at 5) firing before the SOAR rule (contain at 10) gives a human a head start on the automation.
Next
- SIEM, UEBA & SOAR — the full security-operations model, including UEBA baselines.